Feb 23 2007

Don't Put Your Company at Risk by Failing to Monitor

Monitoring and failing to monitor electronic communications in the workplace both involve risk.


Mark D. Rasch, former head of the Justice Department’s Computer Crime Unit

If employees use company e-mail, their employer has the right to monitor it, right? Well, not necessarily. The question of employee privacy regarding electronic resources isn’t so simple and requires that companies develop well-thought-out policies and then take reasonable steps to enforce them.


Written Versus De Facto

Most companies practice two policies: the one on paper and the one they actually follow. If you fail to enforce written policies, or enforce them selectively, your business runs the risk of creating expectations of privacy based not on what you say but on what you actually do.

Last year, the Defense Department tried to enforce its monitoring policy and read e-mail about how to fake a drug test, written on a DOD computer used by Lance Cpl. Jennifer Long. The department wanted to use the message in a criminal prosecution against Long. But the U.S. Court of Military Appeals ruled against DOD, stating that the broad warning banner had to be compared against what the department actually did. Similarly, when a California police department tried to read the personal pages on a government-supplied pager, the court also found that the user had an expectation of privacy. Although a policy statement that “the failure to enforce a policy does not constitute a waiver of the policy” might help, nothing beats having a clear, enforceable and enforced policy.

Common Perception

Do your employees have a reasonable expectation of privacy in their use of corporate electronic resources, such as e-mail, the Internet, telephones, voice mail or cell phones? Your gut reaction might be, “No.” But that reaction isn’t practical. Think of the nonelectronic workplace. Employees have privacy expectations in rest rooms, in their wallets or purses and in personal matters (for example, an employee who brings in a medical bill to pay while at work).

It is clear that, at least in the physical world, employees have actual and reasonable expectations of privacy. The same applies to the virtual world. Nobody expects that other employees can or will read e-mail not addressed to them or that employees will have unlimited free rein to examine the contents of other employees’ hard drives. Indeed, the concepts of data segregation, authorization and authentication all create some expectation that only properly authorized people will view documents and communications for authorized purposes.

The beginning of any employer-employee relationship must encompass a comprehensive and comprehensible use and monitoring policy that employees consent to in writing. It should state that the failure to monitor particular situations does not waive the company’s right to monitor. Under such a policy, the company informs employees that they consent to the employer monitoring their e-mail and Internet use for particular purposes, including to ensure that corporate policy is being followed, to prevent fraud or crimes, for technical reasons, when there is reasonable suspicion that some violation has occurred and, the catchall, “for other lawful purposes.”

By creating such a policy, you are conveying to your staff that the company will not simply engage in voyeuristic monitoring of employees’ conduct, but it can and will monitor for appropriate purposes.

Mark D. Rasch, former head of the Justice Department’s Computer Crime Unit, is a lawyer working in Bethesda, Md. He specializes in electronic security, privacy and technology law.